KR101135629B1 - Method and apparatus for preventing autorun of portable USB storage - Google Patents

Abstract

The present invention relates to a technology for creating an autorun file used at the time of autorun to prevent autorun of a USB type of removable storage device so that any user or worm virus cannot manipulate the autorun file. The automatic execution prevention method according to an example may include accessing at least one of a master file table entry of a root directory and a master file table entry of an autoexecution file and automatically accessing at least one master file table entry accessed. Setting execution prevention.

Autorun Prevention, Autorun, USB, NTFS

Description

Method and apparatus for preventing autorun of portable USB storage device {Method and apparatus for preventing autorun of portable USB storage}

The present invention relates to an automatic execution prevention function setting of a portable USB storage device. More particularly, the present invention relates to a method and an apparatus for preventing random deletion and access to an automatic execution setting file, Autorun.inf.

Windows' Autorun feature is a technology that automatically runs programs when you insert media such as CDs or DVDs or USB memory into your computer. Recently, as a portable storage device such as USB has become common as a data moving means, an automatic execution function is also widely used.

Recently, however, the automatic execution function of portable storage devices such as USB has been used as a means of spreading infections of malicious codes such as viruses and worms. Recently, 'Confiker' and '2090 Virus', which infected many PCs, are copied to the computer by the auto-run function of the Windows operating system as soon as the infected USB is installed on the computer. Infected.

Therefore, there is a need for a method of preventing the transmission and infection by preventing automatic execution in the USB storage device itself.

Accordingly, an aspect of the present invention is to provide a method and apparatus for recognizing a volume included in an NTFS file system of a removable storage device, and for deleting and accessing an autorun file.

The object of the present invention is not limited to the above-mentioned object, and other objects which are not mentioned will be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, an automatic execution prevention method includes: accessing and accessing at least one of a master file table entry of a root directory and a master file table entry of an automatic execution file; Setting an automatic execution prevention on the at least one master file table entry.

According to another aspect of the present invention, the automatic execution prevention device checks whether the automatic execution prevention is set in the volume of the access module and the removable storage device that accesses the portable storage device, and prevents the automatic execution if the automatic execution prevention is not set. It includes an automatic execution prevention module to set.

Specific details of other embodiments are included in the detailed description and the drawings.

According to an embodiment of the present invention, the present invention sets the automatic execution prevention directly to a USB type portable storage device, thereby preventing the transmission of worm virus to the USB type portable storage device even when mounted on any PC. To provide the effect.

Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in various forms, and only the present embodiments are intended to complete the disclosure of the present invention, and the general knowledge in the art to which the present invention pertains. It is provided to fully convey the scope of the invention to those skilled in the art, and the present invention is defined only by the scope of the claims. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. As used herein, “comprises” and / or “comprising” refers to the presence of one or more other components, steps, operations and / or elements. Or does not exclude additions.

In the following description, a removable storage device is a USB storage device having NTFS as a file system.

A method and apparatus for preventing automatic execution of a mobile storage device according to an embodiment of the present invention will be described with reference to FIGS. 1 to 3. 1 is a block diagram illustrating an automatic execution prevention apparatus according to an embodiment of the present invention, Figure 2 is a flow chart showing a method for checking whether the automatic execution prevention function is set in the removable storage device, Figure 3 Is a flowchart illustrating a method of setting an automatic execution prevention function in a removable storage device.

Referring to FIG. 1, the apparatus for preventing automatic execution according to the embodiment includes an access module 100, a volume / file system recognition module 200, an automatic execution prevention module 300, 400, and a user interface module 500.

The access module 100 accesses the USB storage device 600 to read and write data.

The volume / file system recognition module 200 obtains information of the USB storage device 600 and recognizes a drive name of each volume and a file system existing in the volume (S210).

The automatic execution prevention module 300 or 400 checks whether the automatic execution prevention is set in the USB storage device 600, and sets the automatic execution prevention if the automatic execution prevention is not set. The automatic execution prevention module 300, 400 includes an automatic execution prevention inspection unit 300 and an automatic execution prevention setting unit 400.

The automatic execution prevention inspection unit 300 checks whether the automatic execution prevention setting is applied to the USB storage device 600 (S220), and provides information on whether the automatic execution prevention is set through the user interface module 500. Provided (S230).

The automatic execution prevention setting unit 400 sets the automatic execution prevention for the volume for which the automatic execution prevention is not set from the information determined by the automatic execution prevention checking unit 300 whether the automatic execution prevention is set. For example, access to the Autorun.inf file can be prevented by directly accessing the disk of the removable storage device and manipulating (or changing) the index attribute of the root directory. In addition, access to the autorun file may be prevented by manipulating (or changing) an attribute of the master file table entry (hereinafter referred to as MFT entry) of the autorun file.

Specifically, when the volume / file system recognition module 200 acquires information about the file system after recognizing the volume of the USB storage device (600) (S310), the automatic execution prevention setting unit 400 is the MFT of the root directory By accessing the entry (S320), it is possible to set the automatic execution prevention in the MFT entry (S330). Then, by accessing the MFT Entry of the autorun file, for example, the Autorun.inf file (hereinafter, the autorun file is an Autorun.inf file as an example), autorun prevention is set in the MFT Entry (S350). .

If the Autorun.inf file does not exist in the USB storage device 600, Autorun.inf may be generated and autorun prevention may be set in the MFT entry of the generated Autorun.inf file. Alternatively, if Autorun.inf already exists, you can back up the existing Autorun.inf file, create a new Autorun.inf file, and set autorun protection on the MFT Entry of the created Autorun.inf file. have. In addition, access to the Autorun.inf file can be prevented by using a security descriptor when generating the Autorun.inf file. Alternatively, as described above, the autorun file whose attributes are manipulated (or changed) may not be deleted. Detailed description thereof will be described later with reference to FIG. 8.

Meanwhile, the user interface module 500 provides a user with a drive name, file system information, and automatic execution prevention setting of the volumes recognized by the volume / file system recognition module 200 and 400.

As described above, the automatic execution prevention method and apparatus according to an embodiment of the present invention analyzes a USB type removable storage device 600 mounted on a PC, recognizes a volume and a file system, and determines whether to set automatic execution prevention. Enable autorun protection for volumes that are not yet created. That is, by setting the automatic execution prevention function on the removable storage device 600 itself, it is possible to prevent virus infection due to automatic execution even if mounted on any PC.

More specifically, for example, before describing the automatic execution prevention method and apparatus according to the embodiment, with reference to FIGS. 4 to 7 for the Master File Table (hereinafter referred to as MFT) and MFT Entry of NTFS. Explain. 4 is a conceptual diagram illustrating the structure of NTFS, FIG. 5 is a conceptual diagram illustrating each MFT Entry structure of FIG. 4, FIG. 6 is a conceptual diagram illustrating a $ INDEX_ROOT attribute, which is one of attributes of an MFT Entry, and FIG. 7 is a diagram of an MFT Entry. This is a conceptual diagram showing the $ INDEX_ALLOCATION property, which is one of the properties.

Referring to FIG. 4, the structure of NTFS may be divided into a boot area, an MFT area, and a data area. NTFS manages files and directories through MFT, and the actual information is stored in the data area. An MFT is a set of MFT entries, and one MFT Entry contains information about one file or directory. Typically, information of one file or directory is stored in one MFT entry. If the information of a file or directory cannot be stored in one MFT entry, the information is stored in several MFT entries. When the information of a file or directory is divided and stored in several MFT entries, the base MFT entry is called a base MFT entry, and the rest of the MFT entries except the base MFT entry are called non-base MFT entries. The size of the MFT entry is recorded in the boot record (BR). In the case of the NTFS file system, the size of one MFT entry is 1Kbyte. In the MFT entry, metadata information of a file is stored in each attribute, and the attribute is composed of an attribute header and an attribute stream (see FIG. 5). In the NTFS system, the contents of the physical file are also managed by the $ DATA property. If the data is small, it exists as a stream within the MFT entry (this is called the Resident property). However, if the data is large, the data is stored separately in the data area. Only the location of the data area where data is stored is stored inside (this is called Non-Resident attribute).

Referring to Table 1 below, the number assigned to the MFT entry will be described in detail.

[Table 1]

EntryNumber FileName Explanation 0 $ MFT File containing the entire contents of the MFT Entry One $ MFTMirr Backup of MFT Files 2 $ LogFile Transaction logging 3 $ Volume Store label, version, serial number, creation time, dirty flag, etc 4 $ AttrDef Property Definition 5 . (Dot) The root directory of the file system 6 $ Bitmap File system allocation management information 7 $ Boot Boot record 8 $ BadClus Bad cluster list 9 $ Quota (NT) Disk Quota Information 9 $ Secure (2K) Security and access rights information 10 $ Upcase Store uppercase letters of Unicode characters 11 $ Extend (2K) Extension information directory: $ ObjId, $ Quota, $ Reparse, $ UsnJrnl 12-15 <Unused> It is set to busy but is empty. 16-23 <Unused> Empty Any $ ObjId (2K) Save unique ID information of file Any $ Quota (2K) Save Quota Information Any $ Reparse (2K) Reparse point information Any $ UsnJrnl (2K) File or Directory Change History 24 ~ General Files and General Directories

Referring to Table 1, MFT entries 0 to 15 are allocated to metadata files storing file system management data, and when a new file is created, the last number MFT assigned to existing metadata files The MFT Entry following the Entry has a structure which is assigned to newly created metadata files sequentially or to an empty MFT Entry.

Referring to FIG. 5, the MFT Entry internal structure will be described. The MFT Entry is divided into an MFT Entry Header and an Attribute. The MFT Entry Header contains information and status of the MFT Entry. The size of the MFT Entry Header may vary depending on the Windows version, and the size of the item in the MFT Entry Header is included. Attributes are data structures containing various information of files. The types of attributes are shown in Table 2 below.

TABLE 2

Attribute Name IDENTIFIER in Attribute Header $ STANDARD_INFORMATION 10 00 00 00 $ ATTRIBUTE_LIST 20 00 00 00 $ FILE_NAME 30 00 00 00 $ OBJECT_ID 40 00 00 00 $ SECURITY_DESCRIPTOR 50 00 00 00 $ VOLUME_NAME 60 00 00 00 $ VOLUME_INFORMATION 70 00 00 00 $ DATA 80 00 00 00 $ INDEX_ROOT 90 00 00 00 $ INDEX_ALLOCATION A0 00 00 00 $ BITMAP B0 00 00 00 $ REPARSE_POINT C0 00 00 00 $ EA_INFORMATION D0 00 00 00 $ EA E0 00 00 00 $ LOGGED_UTILITY_STREAM 00 01 00 00

 All attributes are divided into Attribute Header and Attribute Contents. Attributes have different structure according to attribute, but attribute header has two kinds of structure, Resident and Non-Resident attribute. do. The rest of the MFT Entry minus the MFT Entry Header stores the property information of the file. In Microsoft Windows, MFT Entry is also called File Record.

Next, the structure of the MFT Entry Header will be described with reference to Table 3 below.

[Table 3]

Offset name Explanation 0-3 Signature ‘FILE’ string 4 ~ 5 Offset of Fixup Array Location of Fixup Array 6 ~ 7 Count of Fixup Value The number of items in the Fixup array 8-15 LogFile Sequence Number The position value of the transaction 16-17 Sequence Value Sequence value 18-19 Hard Link Count Hard Link Count 20-21 Offset to first Attribute Offset where the first attribute starts 22-23 Flags Status or property information of the MFT Entry 24 ~ 27 Used Size of MFT Entry MFT Entry Actual Size Used 28-31 Allocated Size of MFT Entry MFT entry allocation size, 1024 bytes 32-39 File Reference to Base MFT Entry File Reference Address of Base MFT Entry for Non base MFT Entry 40-41 Next Attribute ID IDs of attributes that are assigned only within the MFT Entry

Referring to Table 3, the size of the MFT Entry Header is configured at offsets 20 to 21 bytes, and a flag indicating a state of an attribute of the corresponding MFT Entry is assigned to offsets 22 to 23 bytes. The state of the MFT Entry for the value of the flag is shown in Table 4 below.

[Table 4]

Flag value Explanation 00 00 The MFT Entry means Deleted File 01 00 The MFT Entry means the file being used (Allocated File) 02 00 The MFT Entry is the Deleted Directory Meaning 03 00 The MFT Entry is the directory in use (Allocated Directory).

Next, an index entry of Autorun.inf can be found in MFT Entry No. 5 of FIG. 4. To describe this, the index structure will be described with reference to FIGS. 6 and 7.

NTFS manages indexes in a B-Tree fashion to support fast retrieval of data. Index management is managed by two attributes of $ INDEX_ROOT and $ INDEX_ALLOCATION in MFT Entry. There are two main types of indexes: the small index (Small Index or Small Directory) structure consisting of only the $ INDEX_ROOT containing the top index node, and the $ INDEX_ROOT and $ INDEX_ALLOCATION attributes when the index entry is too large to form a small index. It is managed as a large index (large index or large directory).

6 shows the $ INDEX_ROOT structure, and FIG. 7 shows the $ INDEX_ALLOCATION structure. You can find the index entry of Autorun.inf among the index entries in $ INDEX_ROOT and $ INDEX_ALLOCATION of the index structure.

Meanwhile, the index entry of FIGS. 6 and 7 may be configured as shown in Table 5 below.

TABLE 5

Offset name Explanation 0-7 File Reference Address of filename MFT address value of the file or directory 8-9 Length of this Index Entry Total size of index entry 10-11 Length of $ FILE_NAME The size of the $ FILE_NAME attribute contained by the index entry 12-15 Flags Index Entry Status 16 ~ $ FILE_NAME attribute Copy of the $ FILE_NAME attribute of that file or directory Last 8 bytes VCN of child node in $ INDEX_ALLOCATION If the index entry has a child, the position value of the child's index node

Starting at offset 16, the $ FILE_NAME property of the files under the directory is maintained in the index entry. In Windows Explorer, the index structure is analyzed and shown when selecting a specific directory and showing the sub-file / directory.

Table 6 below shows the configuration of the $ STANDARD_INFORMATION attribute to which an attribute type ID value of 0x00000010 is assigned in Table 2.

TABLE 6

Offset name Explanation 0-7 Creation time Generation time 8-15 Modified Time Modification time 16-23 MFT Modified Time MFT modification time 24-31 Accessed Time Approach time 32-35 Flags File attributes 36-39 Maximum number of Version Maximum version of the file 40-43 Version Number Version of the file 44-47 Class ID Class ID Information 48-51 Owner ID Owner ID 52-55 Security ID ID used for $ SECURE file 56-63 Quota Charged The weight of this file in the user's limit 64-71 Update Sequence Number Contains the last Update Sequence Number of the file

The $ STANDARD_INFORMATION attribute is present in all files and directories and contains information such as file creation time and date, file owner and security descriptor, and file size. There is a flag indicating the characteristics of the file at offset 32 ~ 35 bytes in the contents of $ STANDARD_INFORMATION attribute. The meaning of this flag is shown in Table 7 below.

TABLE 7

Flag value Explanation Flag value Explanation 01 00 00 00 Read only 00 01 00 00 Temporary 02 00 00 00 Hidden 00 02 00 00 Sparse file 04 00 00 00 System 00 04 00 00 Reparse Point 20 00 00 00 Archive 00 08 00 00 Compressed 40 00 00 00 Device 00 10 00 00 Offline 80 00 00 00 Normal 00 20 00 00 Not Content Indexed 00 40 00 00 Encrypted

Table 8 below shows the configuration of the $ FILE_NAME attribute to which an attribute type ID value of 0x00000030 is assigned in Table 2.

[Table 8]

Offset name Explanation 0-7 File Reference Address of Parent Directory MFT address of parent directory 8-15 Creation time Generation time 16-23 Modified Time Modification time 24-31 MFT Modified Time MFT modification time 32-39 Accessed Time Approach time 40-47 Allocated Size of File File allocation size 48-55 Real Size of File The actual size of the file 56-59 Flags File attributes 60-63 Reparse Value Reparse Type 64-64 Length of FileName The length of the name 65-65 Name space Name format 66 ~ Name File name

 The $ FILE_NAME attribute contains information related to the name of a file or directory. There is a flag indicating the characteristics of the file at offset 56 ~ 59 bytes in the contents of $ FILE_NAME attribute. The meaning of this flag is shown in Table 9 below.

TABLE 9

Flag value Explanation Flag value Explanation 01 00 00 00 Read only 00 01 00 00 Temporary 02 00 00 00 Hidden 00 02 00 00 Sparse file 04 00 00 00 System 00 04 00 00 Reparse Point 20 00 00 00 Archive 00 08 00 00 Compressed 40 00 00 00 Device 00 10 00 00 Offline 80 00 00 00 Normal 00 20 00 00 Not Content Indexed 00 40 00 00 Encrypted 00 00 00 10 Directory 00 00 00 20 Index View

In the above, exemplary MFT and MFT entry of NTFS have been described. Hereinafter, with reference to Figures 8 to 10, the automatic execution prevention device and method according to an embodiment of the present invention will be described in detail. FIG. 8 is a flowchart illustrating an automatic execution prevention method according to an embodiment of the present invention, FIG. 9 is an exemplary conceptual diagram illustrating a form in which information of an Autorun.inf file is divided and stored in a plurality of MFT entries, and FIG. 10 is FIG. Is a flowchart for explaining a detailed step S810.

The method of setting the autorun prevention function can be largely composed of two steps: generating an autorun.inf file and setting the autorun function on the generated autorun.inf file.

Specifically, when the automatic execution prevention checker 300 determines whether the automatic execution prevention is set for each volume (S810), the automatic execution prevention setting unit 400 is not set by using the determination result of whether the setting is performed. If not, the existence of the Autorun.inf file on the top of the volume is checked (S820). For example, the directory index structure stored in the root directory MFT Entry 5 (see FIGS. 5 to 7) may be checked whether or not there is Index Entry information of the Autorun.inf file. If the Autorun.inf file exists, a backup of the existing file is performed (S830), and a new Autorun.inf file (or folder) is created for setting autorun prevention (S840).

While creating an Autorun.inf file (or folder), the following two methods can be performed sequentially.

Firstly, the step of setting access control of a file may be performed. In NTFS, files and directories can be created using CreateFile and CreateDirectory functions. Each file and directory can be set up with a user's security descriptor, and access control can be set to prevent access. This can be set in the Discretionary Access Control List (DACL) in the lpSecurityDescriptor in Table 12 by using the lpSecurityAttributes argument pointing to the SECURITY_ATTRIBUTES structure of the CreateDirectory function in Table 10 or the CreateFile function in Table 11.

TABLE 10

BOOL WINAPI CreateDirectory (
__in LPCTSTR lpPathName,
__in LPSECURITY_ATTRIBUTES lpSecurityAttributes,
);

TABLE 11

HANDLE WINAPI CreateFile (
__in LPCTSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in HANDLE hTemplateFile
);

TABLE 12

typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, * PSECURITY_ATTRIBUTES, * LPSECURITY_ATTRIBUTES;

This setting does not allow read / write / execute privileges for users, including administrators, but prevents users from accessing the created Autorun.inf file / directory. Table 13 below is an example of pseudo code that creates Autorun.inf directory when USB is recognized as E drive.

 TABLE 13

Int MakeAutorunDir ()
{
SECURITY_ATTRIBUTES sa;

CreateDACL &&; // generate DACL

CreateDirectory (TEXT (“E: \\ Autorun.inf”, &sa);

}

Second, applying the $ ATTRIBUTE_LIST attribute of NTFS to make the file of Autorun.inf difficult to access in terms of file system can be performed.

As described above, if the size of an attribute of a file or directory is too large or there are many attributes, it cannot be stored in a single MFT entry. Therefore, the attribute is divided into several MFT entries. Has information about whether By applying a security descriptor, the $ ATTRIBUTE_LIST attribute is saved when the information on Autorun.inf is stored in the MFT entry when creating a file, so that the $ FILE_NAME attribute does not exist in the base MFT entry. An example of the MFT Entry configuration of the Autorun.inf file (or folder) generated in this way is shown in FIG. 9.

Referring to FIG. 9, assuming that the base MFT entry of the generated Autorun.inf file (or folder) is 100, the $ ATTRIBUTE_LIST attribute is stored in the 100 base MFT entry, whereby other attributes are non-Base MFT entries. It is stored at 120. Base MFT entry 100 is composed of MFT header, $ STANDARD_INFORMATION, $ ATTRIBUTE_LIST attributes, and base 120 MFT entry may be composed of MFT header, $ FILE_NAME, $ INDEX_ROOT, $ INDEX_ALLOCATION, and $ BITMAP attributes. To prevent malicious attempts to turn off autorun protection, the meta information of the file is distributed and stored in multiple MFT entries.

In step 2, the INDEX_ROOT and INDEX_ALLOCATION attributes are analyzed in the 5th root directory MFT entry using the access module 500 (S850) to find the index entry of the previously created Autorun.inf file (or folder). Set the attribute flag of the $ FILE_NAME attribute portion of the Index Entry of the Autorun.inf file (or folder) thus found to [06 00 00 10], and the Autorun.inf file (or MFT Entry number of the folder) is extracted (S860). This setting causes the file to be recognized as a hidden and system property. Index property is a property that Windows supports to manage the directory. In the case of Windows Explorer, index property is displayed by reading the index. Therefore, if the attribute flag of the $ FILE_NAME attribute portion of the Index Entry of the Autorun.inf file (or folder) is set to [06 00 00 10], the file is not displayed by a function such as Windows Explorer.

Next, using the MFT Entry number of the Autorun.inf extracted from the Index Entry of the Autorun.inf file (or folder) in step S860, the analysis is moved to the MFT Entry of the Autorun.inf file (or folder). The state flag of the header in the MFT Entry of the Autorun.inf file (or folder) may be set (S870), and the attribute flag of the MFT Entry of the Autorun.inf file (or folder) may be set (S880).

Specifically, the status flag of the header (see FIG. 9) in the MFT Entry of the Autorun.inf file (or folder) may be set to [02 00]. This setting means that the MFT Entry in the Autorun.inf file (or folder) is the deleted directory (see Table 4), but the index of the actual root directory has the index entry of that Autorun.inf and remains in the index. This has the effect of preventing access to the Autorun.inf file (or folder).

Next, the $ STANDARD_INFORMATION attribute and the $ FILE_NAME attribute flag (see FIG. 9) of the MFT Entry of the Autorun.inf file (or folder) are set to [06 00 00 00] and [06 00 00 10]. MFT Entry in the root directory sets the hidden and system properties as set in the Index Entry.

Table 14 below shows the aforementioned contents, that is, an object accessed by the automatic execution prevention setting unit 300 (eg, an MFT entry in a root directory, an MFT entry in an Autorun.inf file), and a setting value in which a flag is set in an accessed object. This is the result.

[Table 14]

Access MFT Entry Set target Common value Setting value MFT Entry, root directory 5 Property flag located at offset 56-59 of $ FILE_NAME in Index Entry of Autorun.inf 00 00 00 10 06 00 00 10
06 00 00 00 MFT Entry in Autorun.inf MFT Entry status flag located at offset 22-23 in MFT Header D: 03 00
F: 01 00 D: 02 00
F: 00 00 Property flag located at offset 32-35 of $ STANDARD_INFORMATION 00 00 00 00 06 00 00 00 Attribute flag located at offset 56-59 of $ FILE_NAME 00 00 00 10 D: 06 00 00 10
F: 06 00 00 00

D: Create directory, F: Create file

After the configuration is completed, the USB device is detached by calling the Detach function of the device to recognize the new configuration (S890).

Referring to FIG. 10, step S810 of FIG. 8 will be described in detail.

First, the MFT entry of the root directory is analyzed, and $ INDEX_ROOT and $ INDEX_ALLOCATION properties, which are index management properties, are analyzed (S1010), and an index entry of an autorun.inf file exists among index entries that store information of each file. Find out. If there is no index entry in the Autorun.inf file, it is determined that there is no automatic execution prevention setting. If there is an index entry in the autorun.inf file, the index entry is analyzed and the $ FILE_NAME attribute information starting at offset 16 bytes is checked to check the flag setting value, and at offset 0-7 in the index entry entry of the autorun.inf file. The MFT Entry number of the Autorun.inf file is extracted by parsing the File Reference Address value located (S1020). For example, if the flag setting value is [06 00 00 10] by analyzing the $ FILE_NAME attribute information, it may be determined that the automatic execution prevention function is set to be set (see Table 14).

Move to the MFT Entry number of the extracted Autorun.inf file and execute the following check. Specifically, the flag located at offset 22 to 23 bytes of the header in the MFT Entry of the Autorun.inf file is checked (S1030). For example, if the flag value is, it can be determined that the automatic execution prevention function is set to set (see Table 14).

 Thirdly, a flag of the $ STANDARD_INFORMATION attribute is checked, and a fourth flag of the $ FILE_NAME attribute is checked (S1040). For example, if the flag value is [06 00 00], it can be determined that the automatic execution prevention function is set (see Table 14).

As mentioned above, although the structure of this invention was demonstrated in detail with reference to the preferred embodiment, those of ordinary skill in the art to which this invention is implemented may be implemented in another specific form, without changing the technical idea or an essential feature. I can understand that you can. For example, the program for realizing the partition recovery method of the present invention may be implemented in various forms such as a recording medium in which a program is recorded. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. The scope of the present invention is shown by the following claims rather than the detailed description, and all changes or modifications derived from the claims and their equivalents should be construed as being included in the scope of the present invention.

1 is a block diagram illustrating an automatic execution prevention apparatus according to an embodiment of the present invention.

2 is a flowchart illustrating a method of checking whether an automatic execution prevention function is set in a portable storage device.

3 is a flowchart illustrating a method of setting an automatic execution prevention function in a portable storage device.

4 is a conceptual diagram illustrating the structure of NTFS.

FIG. 5 is a conceptual diagram illustrating each MFT Entry structure of FIG. 4.

6 is a conceptual diagram illustrating a $ INDEX_ROOT attribute, which is one of attributes of an MFT entry.

7 is a conceptual diagram illustrating a $ INDEX_ALLOCATION attribute which is one of attributes of an MFT entry.

8 is a flowchart illustrating an automatic execution prevention method according to an embodiment of the present invention.

9 is an exemplary conceptual diagram illustrating a form in which information of an Autorun.inf file is divided and stored in a plurality of MFT entries.

FIG. 10 is a flowchart for describing operation S810 of FIG. 8 in detail.

Claims (17)

delete Accessing a Master File Table Entry in the root directory; Analyzing the master file table entry of the accessed root directory to retrieve an index entry of an autorun file; And Setting an attribute flag in an index entry of the retrieved autorun file to a specific value; How to prevent the automatic execution of the removable storage device comprising a. 3. The method of claim 2, As the attribute flag is set to the specific value, the attribute of the autorun file is changed to a hidden attribute or a system attribute Method of automatic execution of automatic removable storage device. Accessing a master file table entry of an autoexecutable file; And Setting an attribute flag or a state flag of a header in a master file table entry of the accessed autoexecutable file to a specific value; Automatic execution prevention method of a removable storage device comprising a. The method of claim 4, wherein When the attribute flag or status flag is set to the specific value, the auto executable file is recognized as a deleted or corrupted file, or the property of the auto executable file is changed to a hidden property or a system property. Method of automatic execution of automatic removable storage device. Generating an auto executable file; After the autorun file is generated, accessing at least one of a master file table entry of a root directory and a master file table entry of the autorun file; And Setting automatic execution prevention on the accessed at least one master file table entry; Automatic execution prevention method of a removable storage device comprising a. The method of claim 6, wherein the generating step Establishing an access control to prevent access to the autoexecutable file using a security descriptor; Method of automatic execution of automatic removable storage device. The method of claim 6, wherein the generating step Distributing and storing information of the generated autoexecutable file in a plurality of master file table entries; Method of automatic execution of automatic removable storage device. Determining whether automatic execution prevention is set on a volume of the removable storage device; Accessing at least one of a master file table entry of a root directory and a master file table entry of an autoexecuting file if autoexecution prevention is not set as a result of the determination; And Setting automatic execution prevention on the accessed at least one master file table entry; Automatic execution prevention method of a removable storage device comprising a. The method of claim 9, wherein the determining step Analyzing a master file table entry of the root directory to find an index entry of the autorun file; Checking attribute flag values in an index entry of the autorun file; And Analyzing a master file table entry of the autoexec file and checking a state flag value of an attribute flag or a header; Method of automatic execution of automatic removable storage device. The method of claim 10, wherein the determining step Determining that the automatic execution prevention is not set when the index entry does not exist; And Generating the auto-execution file further. Method of automatic execution of automatic removable storage device. delete An access module for accessing the removable storage device; And An automatic execution prevention inspection unit that checks whether the automatic execution prevention is set in the volume of the portable storage device, and sets the automatic execution prevention in the master file table entry of the root directory and the master file table entry of the automatic execution file An automatic execution prevention module including an automatic execution prevention setting unit; Automatic execution prevention device of a removable storage device comprising a. The method of claim 13, wherein the automatic execution prevention inspection unit Inspecting an attribute flag value in an index entry of the autoexecutable file obtained by analyzing a master file table entry of the root directory, Analyze the master file table entry of the auto-execution file and examine the state flag value of the attribute flag or header, Determining whether the automatic execution prevention is set from the inspection results Automatic execution prevention device of removable storage device. The method of claim 13, wherein the automatic execution prevention setting unit Setting an attribute flag in the index entry of the autoexecutable file obtained by analyzing the master file table entry of the root directory to a specific value; or Setting an attribute flag or a header state flag in a master file table entry of the autoexecutable file to a specific value Automatic execution prevention device of removable storage device. The method of claim 15, wherein the automatic execution prevention setting unit If the auto-execution file does not exist in the portable storage device, an auto-execution file is generated. Setting access control to prevent access to the autoexecutable file by using a security descriptor or distributing and storing information of the generated auto executable file in a plurality of master file table entries Automatic execution prevention device of removable storage device. The method of claim 16, wherein the automatic execution prevention setting unit If an autorun file already exists in the portable storage device, the existing autorun file is backed up, the new autorun file is created, the access control is set while the new autorun file is created, and the information of the generated autorun file is a plurality of masters. Distributed over file table entries Automatic execution prevention device of the mobile storage tooth.

Images